Rutland City-based Rutland Regional Medical Center, the biggest community hospital in Vermont, has uncovered a hack of its IT systems in which cybercriminals obtained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information.
The hack was discovered on December 21, 2018, when a staff member of the medical center saw that their email account had been used to transmit large quantities of spam emails. On December 28, 2018, a possible security breach was made known to the medical center’s IT department. The IT department found, on December 31, that the staff member’s email account had been remotely accessed by an unauthorized person.
The account was quickly secured and a third-party forensic specialist was called in to carry out an investigation into the breach. While the investigation into the breach is still ongoing, the forensics specialist found, on February 6, 2019, that nine email accounts had been accessed between November 2, 2018 and February 6, 2019.
The types of sensitive data in the compromised email accounts included patients’ full names, dates of birth, contact details, patient identification numbers, medical record numbers, financial data, diagnoses, treatment information, Social Security numbers, and health insurance data. The breach was restricted to email accounts. The EMR system and other internal systems were not impacted by the breach.
Rutland Regional Medical Center will, in due course, be issuing notification letters to patients whose PHI may have been obtained.
New safeguards and security measures will be put in place to further secure patients’ protected health information and enhance email security to help prevent additional breaches of this nature.
The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The breach portal states that 72,224 patients have been impacted by the breach.